When you enable the SURROGATE class in CA Access Control, you enable user impersonation protection. User impersonation protection lets you specify that a user or group can change their SID (security identifier) to another SID only if a specific rule permits the change. This prevents a user from impersonating another user's identity unless they are authorized to do so.
Note: A security identifier is a numeric value that identifies a user or group to the operating system.
For example, you define a CA Access Control rule that prevents any user from impersonating Administrator. User Tom tries to run a program that performs some tasks as Administrator. CA Access Control does not permit the program to execute because Tom does not have permission to impersonate Administrator.
You can run user impersonation protection in two modes:
Copyright © 2012 CA. All rights reserved.